Stop Posting Your Damn API Keys To GitHub

The security industry has been preaching against avoidable technical mistakes and mishaps for years, yet here we are with thousands of people still doing careless and negligent things daily without thinking of the personal or communal impact. Amid a sea of warnings, alerts, and notifications reminding you not to post personal or sensitive information on public sites, or preferably anywhere, it would seem nearly impossible for people to still do things that allow their entire account to be compromised.

APIs (application programming interfaces) are extremely powerful tools for developers that make coding and scripting efforts much easier. APIs also keep you within the boundaries the site or application sets while letting you interact directly with your authenticated account. Typically, you are granted access to an API by signing up for a site, service, or application and then visiting a specified page to generate a "secret" key or token, often several keys and tokens.

THESE KEYS AND TOKENS SHOULD BE HELD TO THE SAME STANDARD AS YOUR ACCOUNT PASSWORD!

The Risk

Individuals who negligently post their API keys to public-facing services can face many different outcomes. These include their identity being impersonated to socially engineer friends and colleagues, posts or uploads being made as the account owner, purchased credits being used up by unauthorized users, or even their entire account being hijacked with very little, if any, recourse. There are countless other things an attacker looking to capitalize on these posts can do, but these are the main use cases.

API keys often bypass traditional and additional security measures such as two-factor authentication or CAPTCHA, because the applications the keys are issued to need to authenticate unattended and run seamlessly once created and in use. The key alone is the credential; no second factor is asked for. This poses a problem for those who think their account is safe from compromise because they use these additional security features. Even if you have alerting set up for anomalous logins to your account, that alerting often does not cover API usage. If there is anything vendors could improve regarding account access via API, it would be to alert on anomalous locations or usage patterns for API credentials, though it is not their fault in the slightest if someone publicly posts their credentials.

Society at large can be negatively impacted by these API keys being stolen and accounts being taken over. Flaws and human errors such as these are how botnets of all sizes begin to show up, how malware is distributed with some level of legitimacy, how elections are meddled with via social engineering, and how modern cyber warfare is conducted at the nation-state level. Sites can fight the good fight and put in countermeasures to stop mass account creation and the like, but if people are going to post their account credentials by the hundreds or thousands for nefarious actors to use, those actors will always gravitate to the low-hanging fruit.

How to Find API Keys on GitHub

Twitter

Tweepy is a Python library for the Twitter API that is used to develop all kinds of Twitter applications. It is very powerful in that it can essentially do anything your account can do. When authenticated through the API you can create or delete posts with links, follow and unfollow, upload pictures, send direct messages, or perform nearly any other activity an authenticated Twitter user can. Tweepy does nothing to limit what a given set of API keys can do, and that is no fault of theirs; they want the library to be as capable and ubiquitous as possible. Tweepy also assumes that you will not publicly post your credentials, which would allow complete account takeover.

To find Tweepy API keys on GitHub you simply search for the following string in GitHub's code search:
tweepy AND consumer_key

Not every repo in the results will net API keys, and some of the keys that do turn up will prove to be invalid, but there is still a plethora of keys to be harvested.

Shodan

The Shodan API allows you to interact with your account in the same way most APIs do: you can query discovered assets, search for vulnerabilities on those devices, pull various data points, and so on, through a much more powerful scripting and data-manipulation interface. However, Shodan uses a credit system for some of the more advanced features and for large query scopes. Shodan users who post their API key while credits are allocated to their account can have those credits effectively stolen and spent by whoever finds the key.
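The GitHub search above finds Tweepy keys after they are already public, and a Shodan key leaks the same way when the client is constructed with a literal string. The scanner below, added here as an example and not code from the original post, Tweepy, or Shodan, does the same kind of matching locally so it can run before a push: it flags Tweepy-style credential assignments and a Shodan client constructed from a quoted literal, and passes the same script when the values come from environment variables. The two sample scripts are constructed, the key values in them are fake, and the 16-character minimum length used to cut down on noise is an assumption rather than anything the vendors document.

```python
import re
from typing import List, Tuple

# Constructed sample: a script with the credentials hard-coded. This is the
# shape of file the "tweepy AND consumer_key" search turns up. Values are fake.
LEAKY_SCRIPT = '''
import tweepy
import shodan

consumer_key = "AbCdEfGhIjKlMnOpQrStUvWxY"
consumer_secret = "0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDE"
access_token = "123456789-AbCdEfGhIjKlMnOpQrStUvWxYz0123456789ABCDE"
access_token_secret = "zyxwvutsrqponmlkjihgfedcba9876543210ZYXWVUTSRQP"
api = shodan.Shodan("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345")
'''

# Constructed sample: the same script reading its secrets from the environment,
# which is what should be committed. The variable names are arbitrary.
SAFE_SCRIPT = '''
import os
import tweepy
import shodan

consumer_key = os.environ["TWITTER_CONSUMER_KEY"]
consumer_secret = os.environ["TWITTER_CONSUMER_SECRET"]
access_token = os.environ["TWITTER_ACCESS_TOKEN"]
access_token_secret = os.environ["TWITTER_ACCESS_TOKEN_SECRET"]
api = shodan.Shodan(os.environ["SHODAN_API_KEY"])
'''

# The four variable names Tweepy's OAuth 1.0a examples use. A match requires a
# quoted literal on the right-hand side, so os.environ[...] does not trigger it.
TWEEPY_VARS = r"consumer_key|consumer_secret|access_token|access_token_secret"

# Assumption: 16+ characters of key-like material; short placeholders like
# "xxx" or "" are skipped to keep the hook quiet on templates.
PATTERNS = {
    "tweepy credential": re.compile(
        r"\b(?P<name>" + TWEEPY_VARS + r")\s*=\s*['\"](?P<value>[A-Za-z0-9\-]{16,})['\"]"
    ),
    "shodan api key": re.compile(
        r"shodan\.Shodan\(\s*['\"](?P<value>[A-Za-z0-9]{16,})['\"]\s*\)"
    ),
}

Finding = Tuple[int, str, str]  # (line number, label, masked value)


def mask(value: str) -> str:
    """Keep just enough of the value to recognise it; never echo a full key."""
    return value[:4] + "..." + value[-4:]


def scan_source(source: str) -> List[Finding]:
    """Return one finding per line that assigns a hard-coded credential."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, label, mask(match.group("value"))))
    return findings


def scan_paths(paths: List[str]) -> List[Tuple[str, Finding]]:
    """Scan files on disk, e.g. the output of `git diff --cached --name-only`."""
    results: List[Tuple[str, Finding]] = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for finding in scan_source(fh.read()):
                results.append((path, finding))
    return results


if __name__ == "__main__":
    for name, script in (("leaky", LEAKY_SCRIPT), ("safe", SAFE_SCRIPT)):
        hits = scan_source(script)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, label, masked in hits:
            print(f"  line {lineno}: {label} {masked}")
```

Wire `scan_paths` to the staged file list in a pre-commit hook and exit non-zero on any finding; the masked output is deliberate so the hook's own log does not become a second copy of the key.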

In Summary

This post is not meant to take a stab at GitHub, Twitter, Shodan, or any other service that provides a public posting platform or an API for developers to use. These companies provide an outstanding service in their respective industries. There is nothing special about these platforms, however. StackOverflow, Pastebin, social media sites, smaller technical forums, and the like very likely have this type of information posted to them, and keys for the Facebook, Google, Netflix, Amazon and countless other APIs are very likely being shared on text-sharing sites as well. The problem is people not taking the time to think about what they are doing, whether through ignorance or negligence, and neither is a legitimate excuse.

Not all mistakes are avoidable, but these kinds definitely are. There is no excuse for people who have the technical skills to write code, post it to GitHub, interact with an API and do a myriad of other technical activities, yet are blind to the fact that they shouldn't post the keys to their account on a public-facing service that is constantly being scraped and pilfered through.

Before posting your newest script or piece of code to GitHub do a few things: